The U.S. Department of Education Office of Federal Student Aid issued an electronic announcement in May regarding changes to the treatment of federal tax information (FTI) that will take effect for the 2024–2025 financial aid award year. In particular, the designation of FTI as controlled unclassified information may hold implications for institutional compliance with NIST SP 800-171.
On May 12, the U.S. Department of Education (ED) Office of Federal Student Aid (FSA) issued an electronic announcement about forthcoming changes to how FSA receives and handles the federal tax information (FTI) used to calculate financial aid awards for families and applicants seeking assistance. The announcement describes FSA's "expectations pertaining to the treatment of FTI received for the 2024–2025 award year and beyond and addresses an institution's obligation to ensure the privacy and security of FAFSA data (including FTI)."Footnote1
Since 2009, applicants and families have used the Internal Revenue Service (IRS) data retrieval tool to transfer their FTI from the IRS to complete the Free Application for Federal Student Aid (FAFSA) form. This procedure does not require ED to directly receive FTI. As a result, ED was not subject to cybersecurity and other requirements associated with handling FTI. In the interest of providing a simpler FAFSA process, Congress passed the Fostering Undergraduate Talent by Unlocking Resources for Education (FUTURE) Act in 2019. The FUTURE Act includes a provision that changes how FTI is handled beginning in the 2024–2025 award year by permitting the IRS to disclose FTI directly to ED.Footnote2
This change posed new cybersecurity compliance challenges for both ED and higher education institutions, as the Internal Revenue Code (IRC) requires entities receiving federal taxpayer information to follow IRS information security guidelines for storing and handling such data. Those requirements, which are outlined in IRS Publication 1075: Tax Information Security Guidelines for Federal, State, and Local Agencies (IRS 1075), are equivalent to complying with the NIST SP 800-53 cybersecurity framework at the "moderate" level. The NISP SP 800-53 standard would pose significant compliance challenges for many colleges and universities. However, technical amendments enacted as part of the Coronavirus Aid, Relief, and Economic Security (CARES) Act specified that the redisclosure of FTI to colleges and universities is not among the FTI uses that are subject to IRS 1075. Therefore, higher education institutions do not have to comply with the NIST SP 800-53 cybersecurity framework for FTI that is redisclosed to them for Federal Student Aid purposes.
The announcement from FSA reiterates that colleges and universities are not subject to IRS 1075. However, it raises other potential compliance considerations that are worth noting. In the announcement, FSA states that "all FTI received by our partners is classified as (controlled unclassified information) CUI//SP-TAX and is permitted, with approval by the applicant and, if applicable, their parent(s) or spouse, for redisclosure by the Department to our partners under Section 6103(l)(13)(D)(iii) of the IRC. While our partners are not subject to IRS Publication 1075 - Tax Information Security Guidelines, we encourage our partners to use this publication as a resource when developing and implementing information security standards as it pertains to FTI."Footnote3 Given its CUI designation, FTI falls under the National Archives and Records Administration's (NARA's) CUI program. As such, it would carry NIST SP 800-171 security requirements with it once such requirements are extended by ED to institutions via the terms and conditions of a relevant agreement or agreements, per the CUI program regulations.
The uniform Federal Acquisition Regulation (FAR) clause that federal agencies will use to integrate the requirements of the NARA CUI program into contracts and grants, including the 800-171 cybersecurity standard, has yet to materialize. However, as explained in guidance from NARA, the CUI program regulations make it clear that agencies sharing CUI with "any non-executive branch entity," such as a college or university, should either enter into a new agreement with the entity or modify the terms of an existing agreement with the entity to extend the CUI program requirements, including compliance with NIST SP 800-171 in relation to the handling of CUI, to the entity.Footnote4 The FSA announcement stressed that FTI shared with higher education institutions is CUI and highlighted that prior to the start of the 2024–2025 financial aid cycle, all institutions with Student Aid Internet Gateway (SAIG) Agreements will have to sign a revised agreement that accounts for the direct use of FTI in the financial aid process.Footnote5 This raises the question of whether ED will require institutions to attest to 800-171 compliance when signing their new SAIG Agreements. Given that the new FTI sharing process will take effect beginning July 1, 2024, institutions may be concerned that FSA could introduce a new 800-171 compliance mandate that would take effect at the same time.
The FSA announcement on FTI indicates that FSA will release the new version of its SAIG Agreement this fall, and we may not know until the text is available whether and how FSA might introduce an 800-171 compliance mandate.Footnote6 EDUCAUSE will continue to monitor developments related to FSA's July 1, 2024, changes to the handling and disclosure of FTI. We will also request that FSA notify the higher education community as early as possible about if and when it will require institutional compliance with 800-171 in relation to student financial aid data. In the meantime, EDUCAUSE members should notify their financial aid administration colleagues about the possibility that the FTI change may involve new and rather serious cybersecurity compliance language in forthcoming SAIG Agreements.
Notes
- (GENERAL-23-34) Access and Use of Federal Tax Information (FTI) for Federal Student Aid Programs Beginning with the 2024–25 FAFSA Processing Cycle, U.S. Department of Education Office of Federal Student Aid, May 12, 2023. Jump back to footnote 1 in the text.
- FUTURE Act, National Association of Student Financial Aid Administrators (website), accessed June 22, 2023. Jump back to footnote 2 in the text.
- (GENERAL-23-34), Office of Federal Student Aid, May 12, 2023. Jump back to footnote 3 in the text.
- CUI Notice 2018-01: Guidance for Drafting Agreements with Non-Executive Branch Entities Involving Controlled Unclassified Information (CUI), National Archives and Records Administration Information Security Oversight Office, January 24, 2018. Jump back to footnote 4 in the text.
- (GENERAL-23-34), Office of Federal Student Aid, May 12, 2023. Jump back to footnote 5 in the text.
- Ibid. Jump back to footnote 6 in the text.
Kathryn Branson is a Partner at Ulman Public Policy.
© 2023 EDUCAUSE. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.